
Cybersecurity researchers have revealed details of a malicious Go module designed to harvest passwords, create persistent access via SSH, and distribute a Linux backdoor named Rekoobe.
The Go module, github[.]com/xinfeisoft/crypto, impersonates the legitimate “golang.org/x/crypto” codebase but injects malicious code that leaks secrets entered at the terminal’s password prompt to a remote endpoint, then retrieves and executes shell scripts sent back in response.
“This activity falls under namespace confusion and spoofing of the legitimate golang.org/x/crypto subrepository (and its GitHub mirror github.com/golang/crypto),” said Socket security researcher Kirill Boychenko. “Legitimate projects identify go.googlesource.com/crypto as canonical and treat GitHub as a mirror. Threat actors exploit this distinction to routinely show github.com/xinfeisoft/crypto in their dependency graphs.”
Specifically, the backdoor is placed within the “ssh/terminal/terminal.go” file so that whenever the victim application calls ReadPassword(), a function whose purpose is to read input such as passwords from the terminal, the interactive secrets it reads are captured.
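As an added example (not code from the article or from Socket), the following Go check applies the namespace-confusion point above to a go.mod file: it flags any required or replaced module whose last path element matches a golang.org/x subrepository name but that is hosted outside the canonical go.googlesource.com tree or the github.com/golang mirror. The watch-list of subrepository names and the sample go.mod fragment are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumed watch-list of golang.org/x subrepo names, plus the only prefixes where
// genuine copies live: go.googlesource.com (canonical) and github.com/golang (mirror).
var xSubrepos = map[string]bool{"crypto": true, "net": true, "sys": true, "term": true, "tools": true}
var trustedPrefixes = []string{"golang.org/x/", "go.googlesource.com/", "github.com/golang/"}

// isLookalike reports whether path ends in a watched subrepo name but is hosted elsewhere.
func isLookalike(path string) bool {
	for _, p := range trustedPrefixes {
		if strings.HasPrefix(path, p) {
			return false
		}
	}
	return xSubrepos[path[strings.LastIndex(path, "/")+1:]]
}

// SuspiciousModules returns lookalike module paths found in the require
// directives and replace targets of the given go.mod text.
func SuspiciousModules(goMod string) []string {
	var hits []string
	for _, raw := range strings.Split(goMod, "\n") {
		line := strings.TrimSpace(raw)
		if strings.HasPrefix(line, "//") || strings.HasPrefix(line, "module ") {
			continue // comments and the project's own module path are not dependencies
		}
		if _, rhs, ok := strings.Cut(line, "=>"); ok {
			line = rhs // only the replacement target can wire in a spoofed copy
		}
		for _, tok := range strings.Fields(line) {
			// Module paths look like host/org/repo; versions, "//" markers and ./local paths fail this.
			host, _, ok := strings.Cut(tok, "/")
			if ok && strings.Contains(host, ".") && !strings.HasPrefix(host, ".") && isLookalike(tok) {
				hits = append(hits, tok)
			}
		}
	}
	return hits
}

func main() { // constructed go.mod fragment pulling in the module named in the article
	sample := "require (\n\tgolang.org/x/crypto v0.31.0\n\tgithub.com/xinfeisoft/crypto v0.0.1\n)\n"
	fmt.Println(SuspiciousModules(sample)) // [github.com/xinfeisoft/crypto]
}
```

The same shape test also accepts a replace directive that points golang.org/x/term at a third-party fork, which is the other way a spoofed copy ends up in a build.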
The main role of the downloaded script is to act as a Linux stager: it adds the threat actor’s SSH keys to the ‘/home/ubuntu/.ssh/authorized_keys’ file, sets the iptables default policy to ACCEPT to relax firewall restrictions, and retrieves additional payloads from external servers, disguised with an .mp5 extension.
Of the two payloads, one is a helper that tests internet connectivity and attempts to communicate with the IP address ‘154.84.63[.]’. Socket noted that the program likely functions as a scout or loader.

The second downloaded payload is believed to be Rekoobe, a known Linux Trojan that has been detected in the wild since at least 2015. This backdoor can receive commands from an attacker-controlled server to download further payloads, steal files, and execute a reverse shell. As of August 2023, Rekoobe was being used by Chinese nation-state groups like APT31.
The package is still listed on pkg.go.dev, but the Go security team has taken steps to block it as malicious.
“This campaign is likely to be repeated because it is low effort and high impact, with a similar module hooking the high bound (ReadPassword), using GitHub Raw as a rotation pointer, and then pivoting to curl | sh staging and Linux payload delivery,” Boychenko said.
“Defenders should anticipate similar supply chain attacks targeting other ‘credential edge’ libraries (SSH helpers, CLI authentication prompts, database connectors), as well as indirect attacks through hosting surfaces that rotate infrastructure without republishing code.”
